Bug#290803: login: /var/log/btmp is created with insecure permissions

2005-01-16 Thread Stefanos Harhalakis
Package: login
Version: 1:4.0.3-30.7
Severity: critical
Tags: security
Justification: root security hole


It seems that /var/log/btmp is created as a world readable file.
This is insecure (and it is reported by 'tiger') because this file
contains failed logins, including unknown usernames. It is possible
for a user to see the root password (and others too) by running /usr/bin/lastb.

Tiger reports this as an error:

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660 

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-modules  0.76-22  Pluggable Authentication Modules f
ii  libpam-runtime  0.76-22  Runtime support for the PAM librar
ii  libpam0g0.76-22  Pluggable Authentication Modules l

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#290803: login: /var/log/btmp is created with insecure permissions

2005-01-16 Thread Justin Pryzby
On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> Package: login
> Version: 1:4.0.3-30.7
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> It seems that /var/log/btmp is created as a world readable file.
> This is insecure (and it is reported by 'tiger') because this file
> contains failed logins, including unknown usernames.
Aren't the usernames always visible in /etc/passwd?

> It is possible for a user to see the root password (and others too)
> by running /usr/bin/lastb.
lastb isn't showing me any passwords; just valid usernames as seen in
passwd and dates.

Justin





Bug#290803: login: /var/log/btmp is created with insecure permissions

2005-01-16 Thread Justin Pryzby
On Sun, Jan 16, 2005 at 10:36:46PM +0200, Stefanos Harhalakis wrote:
> On Sunday 16 January 2005 22:24, Justin Pryzby wrote:
> > On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> > > Package: login
> > > Version: 1:4.0.3-30.7
> > > Severity: critical
> > > Tags: security
> > > Justification: root security hole
> > 
> > 
> > > It seems that /var/log/btmp is created as a world readable file.
> > > This is insecure (and it is reported by 'tiger') because this file
> > > contains failed logins, including unknown usernames.
> 
> > Aren't the usernames always visible in /etc/passwd?
> 
> > > It is possible for a user to see the root password (and others too)
> > > by running /usr/bin/lastb.
> 
> > lastb isn't showing me any passwords; just valid usernames as seen in
> > passwd and dates.
> 
> It also contains unknown usernames.
Really?

$ strings /var/log/btmp
UNKNOWN
pryzbyj
root
UNKNOWN

$ lastb
UNKNOWN          Sun Jan 16 15:40 - 15:40  (00:00)
root             Sun Jan 16 15:21 - 15:21  (00:00)
pryzbyj          Wed Jan 12 13:25 - 13:25  (00:00)
UNKNOWN          Wed Jan  5 11:22 - 11:22  (00:00)

btmp begins Wed Jan  5 11:22:54 2005

Justin





Bug#290803: [v13@it.teithe.gr: Re: Bug#290803: login: /var/log/btmp is created with insecure permissions]

2005-01-16 Thread Justin Pryzby
- Forwarded message from Stefanos Harhalakis [EMAIL PROTECTED] -

From: Stefanos Harhalakis [EMAIL PROTECTED]
To: Justin Pryzby [EMAIL PROTECTED]
Subject: Re: Bug#290803: login: /var/log/btmp is created with insecure permissions
Cc: [EMAIL PROTECTED]

On Sunday 16 January 2005 22:24, Justin Pryzby wrote:
> On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> > Package: login
> > Version: 1:4.0.3-30.7
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> 
> 
> > It seems that /var/log/btmp is created as a world readable file.
> > This is insecure (and it is reported by 'tiger') because this file
> > contains failed logins, including unknown usernames.

> Aren't the usernames always visible in /etc/passwd?

> > It is possible for a user to see the root password (and others too)
> > by running /usr/bin/lastb.

> lastb isn't showing me any passwords; just valid usernames as seen in
> passwd and dates.

It also contains unknown usernames. This includes any logins where you've
entered the password (or something else) as the username. If you enter
test123 as the username then the btmp will contain the word 'test123', which
can be your root or user password.


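The point of the thread is that btmp stores whatever string was typed at the login prompt, so a world-readable btmp leaks mistyped passwords to every local user, and tiger's requested fix is mode 660 (owned by root, group utmp). The following is an added example, not code from the thread or from the Debian login/shadow package: it reads btmp records the way lastb(1) does, using the 384-byte glibc struct utmp layout for i386/x86_64 (an assumption about the platform), then checks a file's mode and applies the 660 fix. The three records are constructed test data mirroring the thread, including the "test123" case Stefanos describes.

```python
"""Read btmp records and check the file's permissions (added example)."""
import os
import stat
import struct
import tempfile
import time
from typing import Dict, List, Tuple

# Assumed layout: glibc's struct utmp on Linux i386 and x86_64 (384 bytes):
# ut_type(2)+pad(2), ut_pid(4), ut_line(32), ut_id(4), ut_user(32),
# ut_host(256), ut_exit(2x2), ut_session(4), ut_tv(2x int32), ut_addr_v6(16),
# 20 reserved bytes. btmp is a sequence of these records.
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
LOGIN_PROCESS = 6  # ut_type written for a failed login attempt


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def make_record(user: str, line: str, host: str, when: int, pid: int = 1000) -> bytes:
    """Build one btmp record (constructed test data, same field order as login)."""
    return struct.pack(
        UTMP_FORMAT,
        LOGIN_PROCESS, pid,
        line.encode(), b"", user.encode(), host.encode(),
        0, 0,            # ut_exit
        0,               # ut_session
        when, 0,         # ut_tv: tv_sec, tv_usec
        0, 0, 0, 0,      # ut_addr_v6
    )


def parse_btmp(data: bytes) -> List[Dict[str, object]]:
    """Return one dict per record; this is all lastb(1) needs to print its table."""
    if len(data) % UTMP_SIZE:
        raise ValueError("truncated btmp: length is not a multiple of %d" % UTMP_SIZE)
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FORMAT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": _cstr(f[2]), "user": _cstr(f[4]), "host": _cstr(f[5]),
            "time": f[9],
        })
    return records


def failed_login_users(data: bytes) -> List[str]:
    """Every string typed at the username prompt: the data a world-readable btmp leaks."""
    return [r["user"] for r in parse_btmp(data) if r["type"] == LOGIN_PROCESS]


def world_readable(path: str) -> bool:
    """True if 'other' has read permission, i.e. any local user can run lastb on it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def restrict_btmp(path: str) -> int:
    """Apply the mode tiger asks for (660). Ownership root:utmp still needs chown as root."""
    os.chmod(path, 0o660)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_permission_fix() -> Tuple[bool, bool]:
    """Create a 0644 scratch file (like the bug), fix it, report before/after."""
    fd, path = tempfile.mkstemp(prefix="btmp-demo-")
    try:
        os.write(fd, SAMPLE_BTMP)
        os.close(fd)
        os.chmod(path, 0o644)
        before = world_readable(path)
        restrict_btmp(path)
        after = world_readable(path)
    finally:
        os.unlink(path)
    return before, after


# Constructed sample mirroring the thread: an unknown username, a failed root
# attempt, and a user who typed their password into the username prompt.
SAMPLE_BTMP = b"".join([
    make_record("UNKNOWN", "tty1", "", 1104923000),
    make_record("root", "tty1", "", 1105888000),
    make_record("test123", "pts/0", "10.0.0.5", 1105889000),
])

if __name__ == "__main__":
    for r in parse_btmp(SAMPLE_BTMP):
        print("%-8s %-6s %-10s %s" % (r["user"], r["line"], r["host"], time.ctime(r["time"])))
    print("world-readable before/after fix:", demo_permission_fix())
```

The parser never consults /etc/passwd, which is the answer to the "aren't usernames already public" question: the ut_user field is raw input, not a validated account name, so "test123" comes back exactly as typed. On a real system, run the check against /var/log/btmp and fix with `chmod 660` plus `chown root:utmp` as root; the example only chmods because chown needs privilege.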